CVE-2008-5141: allows local users to overwrite arbitrary files via a symlink attack

Related Vulnerabilities: CVE-2008-5141  

Debian Bug report logs - #506350
CVE-2008-5141: allows local users to overwrite arbitrary files via a symlink attack


Reported by: Raphael Geissert <atomo64@gmail.com>

Date: Thu, 20 Nov 2008 20:36:03 UTC

Severity: important

Tags: security

Found in version flamethrower/0.1.8-1

Fixed in versions flamethrower/0.1.8-2, flamethrower/0.1.8-1+etch4

Done: dann frazier <dannf@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, dann frazier <dannf@debian.org>:
Bug#506350; Package flamethrower. (Thu, 20 Nov 2008 20:36:06 GMT)


Message #3 received at submit@bugs.debian.org:

From: Raphael Geissert <atomo64@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2008-5141: allows local users to overwrite arbitrary files via a symlink attack
Date: Thu, 20 Nov 2008 14:32:25 -0600
Package: flamethrower
Version: 0.1.8-1
Severity: important
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for 
flamethrower.

CVE-2008-5141[1]:
> flamethrower in flamethrower 0.1.8 allows local users to overwrite
> arbitrary files via a symlink attack on a /tmp/multicast.tar.#####
> temporary file.

Please note that a more careful inspection of the script reveals that even 
more insecure paths are used, not just the one mentioned in the CVE.
Searching for /tmp and $tmp_dir and the other vars taking $tmp_dir as their 
value will reveal the rest.

If you fix the vulnerability please also make sure to include the CVE id in 
the changelog entry.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5141
     http://security-tracker.debian.net/tracker/CVE-2008-5141

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
[signature.asc (application/pgp-signature, inline)]
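
The search described in the report above (literal /tmp paths, then $tmp_dir and every variable that takes its value), as an added example in Python; it is not part of the original report or of flamethrower. The Perl sample is constructed from the patterns quoted in this bug, and `$list_file`, `$safe_dir` and `$safe_list` are hypothetical names.

```python
import re

ASSIGN = re.compile(r'^\s*(?:my\s+)?\$(\w+)\s*=(?![=~])')
VAR_REF = re.compile(r'\$\{?(\w+)')
TMP_LITERAL = re.compile(r'(?<![\w/])(?:/var)?/tmp/')
# Calls that create the name atomically (O_EXCL) with an unpredictable suffix.
SAFE_CALL = re.compile(r'\b(?:tempfile|tempdir|mkstemp|mkdtemp)\s*\(')

# Constructed sample; $list_file, $safe_dir and $safe_list are hypothetical.
SAMPLE = r'''
my $conf_file = '/etc/flamethrower/flamethrower.conf';
my $tmp_dir   = "/tmp/.flamethrower.$$";
my $list_file = "$tmp_dir/list";
open(my $fh, ">", $list_file) or die;
$udp_cmd = "udp-receiver --file /tmp/multicast.tar.$$";
my $safe_dir  = File::Temp::tempdir("/tmp/flamethrower.XXXXXX");
my $safe_list = "$safe_dir/list";
'''

def audit(source):
    """Return (findings, tainted); findings are (line_no, reason, text)."""
    tainted, findings = set(), []
    for no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue                      # whole-line Perl comment
        target = ASSIGN.match(line)
        if SAFE_CALL.search(line):        # safely created: clear any taint
            if target:
                tainted.discard(target.group(1))
            continue
        rhs = line[target.end():] if target else line
        reasons = []
        if TMP_LITERAL.search(rhs):
            reasons.append('literal path in a world-writable directory')
        reasons += ['derived from $' + v
                    for v in sorted(set(VAR_REF.findall(rhs)) & tainted)]
        if reasons:
            findings.append((no, '; '.join(reasons), line.strip()))
            if target:                    # propagate to the assigned variable
                tainted.add(target.group(1))
        elif target:
            tainted.discard(target.group(1))   # reassigned to a clean value
    return findings, tainted

if __name__ == '__main__':
    for no, reason, text in audit(SAMPLE)[0]:
        print(f'{no}: {reason}\n    {text}')
```

The matching is line-based and regex-driven, so it is a review aid for locating candidate paths, not a Perl parser; list assignments and multi-line statements are not followed.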

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#506350; Package flamethrower. (Fri, 21 Nov 2008 18:06:03 GMT)


Acknowledgement sent to dann frazier <dannf@debian.org>:
Extra info received and forwarded to list. (Fri, 21 Nov 2008 18:06:04 GMT)


Message #8 received at 506350@bugs.debian.org:

From: dann frazier <dannf@debian.org>
To: 506350@bugs.debian.org, 506350-submitter@bugs.debian.org
Subject: patch
Date: Fri, 21 Nov 2008 11:05:02 -0700
Thanks for the report. Does this patch look sufficient to you?

--- flamethrower-0.1.8.orig/bin/flamethrower
+++ flamethrower-0.1.8/bin/flamethrower
@@ -9,6 +9,7 @@
 
 use strict;
 use File::Path;
+use File::Temp;
 use Getopt::Long;
 
 use lib "/usr/lib/flamethrower";
@@ -23,7 +24,7 @@
 my $version_number  = "INS_VERSION";
 my $conf_file       = '/etc/flamethrower/flamethrower.conf';
 my $transport       = "udp-receiver";
-my $tmp_dir         = "/tmp/.flamethrower.$$";
+my $tmp_dir         = File::Temp::tempdir("/tmp/flamethrower.XXXXXX");
 
 
 my $version_info = <<"EOF";
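
Review bot: the `+my $tmp_dir` line calls File::Temp::tempdir without `CLEANUP => 1`, and it runs at file scope, so every invocation now creates a /tmp/flamethrower.XXXXXX directory that stays behind unless the script removes it on every exit path (not visible in this hunk). Suggest `File::Temp::tempdir("/tmp/flamethrower.XXXXXX", CLEANUP => 1)`, or deferring the call until the directory is actually needed. The new name also drops the leading dot of the old `.flamethrower.$$`, which is worth mentioning if anything else looks for that path.
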
@@ -283,13 +284,16 @@
     #
     my $udp_cmd;
     my $tar_cmd;
+    my $tar_fh;
+    my $tar_file;
 
+    ($tar_fh, $tar_file) = File::Temp::tempfile("/tmp/multicast.tar.XXXXXX");
     if($verbose) {
-        $udp_cmd = "udp-receiver $udp_receiver_options --file /tmp/multicast.tar.$$";
-        $tar_cmd = "tar $tar_opts -C $dir -f /tmp/multicast.tar.$$";
+        $udp_cmd = "udp-receiver $udp_receiver_options --file $tar_file";
+        $tar_cmd = "tar $tar_opts -C $dir -f $tar_file";
     } else {
-        $udp_cmd = "udp-receiver $udp_receiver_options --file /tmp/multicast.tar.$$ 2>/dev/null";
-        $tar_cmd = "tar $tar_opts -C $dir -f /tmp/multicast.tar.$$";
+        $udp_cmd = "udp-receiver $udp_receiver_options --file $tar_file 2>/dev/null";
+        $tar_cmd = "tar $tar_opts -C $dir -f $tar_file";
     }
 
     print "$udp_cmd\n" if($verbose);
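
Review bot: `$tar_fh` from File::Temp::tempfile is never written to; udp-receiver and tar both reopen `$tar_file` by name, so the safety of this hunk rests on tempfile having created the file exclusively and on nobody else being able to replace it before the child processes open it. That holds in a sticky /tmp, but it deserves a comment next to the tempfile call. `$tar_file` is also interpolated unquoted into a shell command string, which is fine for this fixed template but needs quoting if the directory ever comes from the environment. Both branches now build the same `$tar_cmd`, so it can be assigned once outside the if/else.
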
@@ -298,7 +302,8 @@
     print "$tar_cmd\n" if($verbose);
     !system($tar_cmd) or die("FAILED: $tar_cmd");
 
-    unlink("/tmp/multicast.tar.$$");
+    close $tar_fh;
+    unlink("$tar_file");
 }
 
 
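
Review bot: `!system($tar_cmd) or die(...)` sits above the new close/unlink pair, so a failed tar exits before `unlink("$tar_file")` runs and leaves the received archive in /tmp. Passing `UNLINK => 1` to the tempfile call, or unlinking before the die, covers that path. The return value of unlink is unchecked, and the quotes around `$tar_file` are unnecessary.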


-- 
dann frazier





Message sent on to Raphael Geissert <atomo64@gmail.com>:
Bug#506350. (Fri, 21 Nov 2008 18:06:11 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, dann frazier <dannf@debian.org>:
Bug#506350; Package flamethrower. (Sun, 23 Nov 2008 23:21:04 GMT)


Acknowledgement sent to "Raphael Geissert" <atomo64@gmail.com>:
Extra info received and forwarded to list. Copy sent to dann frazier <dannf@debian.org>. (Sun, 23 Nov 2008 23:21:04 GMT)


Message #16 received at 506350@bugs.debian.org:

From: "Raphael Geissert" <atomo64@gmail.com>
To: 506350@bugs.debian.org
Subject: Re: Bug#506350: patch
Date: Sun, 23 Nov 2008 17:18:58 -0600
Hi,

Sorry for the delay.

2008/11/21 dann frazier <dannf@debian.org>:
> Thanks for the report. Does this patch look sufficient to you?
>
> --- flamethrower-0.1.8.orig/bin/flamethrower
> +++ flamethrower-0.1.8/bin/flamethrower
> @@ -9,6 +9,7 @@
>
>  use strict;
>  use File::Path;
> +use File::Temp;
>  use Getopt::Long;
>
>  use lib "/usr/lib/flamethrower";
> @@ -23,7 +24,7 @@
>  my $version_number  = "INS_VERSION";
>  my $conf_file       = '/etc/flamethrower/flamethrower.conf';
>  my $transport       = "udp-receiver";
> -my $tmp_dir         = "/tmp/.flamethrower.$$";
> +my $tmp_dir         = File::Temp::tempdir("/tmp/flamethrower.XXXXXX");
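
Review bot: on the `+my $tmp_dir` line the `/tmp/` prefix is part of the template, so TMPDIR is ignored. To honour it while keeping a recognisable name, pass a bare template together with `TMPDIR => 1`, as in `File::Temp::tempdir("flamethrower.XXXXXX", TMPDIR => 1)`; a bare template without that option is created relative to the current directory.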

You could even omit the template and let tempdir create a directory
with a random name under $TMPDIR (instead of hard-coding /tmp).

Same as for the other calls. Other than that it does look good.

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

P. J. O'Rourke  - "Never wear anything that panics the cat."




Reply sent to dann frazier <dannf@debian.org>:
You have taken responsibility. (Sat, 29 Nov 2008 02:27:09 GMT)


Notification sent to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer. (Sat, 29 Nov 2008 02:27:09 GMT)


Message #21 received at 506350-close@bugs.debian.org:

From: dann frazier <dannf@debian.org>
To: 506350-close@bugs.debian.org
Subject: Bug#506350: fixed in flamethrower 0.1.8-2
Date: Sat, 29 Nov 2008 02:02:04 +0000
Source: flamethrower
Source-Version: 0.1.8-2

We believe that the bug you reported is fixed in the latest version of
flamethrower, which is due to be installed in the Debian FTP archive:

flamethrower_0.1.8-2.diff.gz
  to pool/main/f/flamethrower/flamethrower_0.1.8-2.diff.gz
flamethrower_0.1.8-2.dsc
  to pool/main/f/flamethrower/flamethrower_0.1.8-2.dsc
flamethrower_0.1.8-2_all.deb
  to pool/main/f/flamethrower/flamethrower_0.1.8-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 506350@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
dann frazier <dannf@debian.org> (supplier of updated flamethrower package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 21 Nov 2008 10:46:08 -0700
Source: flamethrower
Binary: flamethrower
Architecture: source all
Version: 0.1.8-2
Distribution: unstable
Urgency: low
Maintainer: dann frazier <dannf@debian.org>
Changed-By: dann frazier <dannf@debian.org>
Description: 
 flamethrower - Multicast file distribution utility
Closes: 506350
Changes: 
 flamethrower (0.1.8-2) unstable; urgency=low
 .
   * Fix /tmp symlink attack vector. Closes: #506350 (CVE-2008-5141)
   * Rebuilding with current toolchain would cause executables to
     be installed in /usr/local/bin. Fix this by supplying an
     appropriate SITEPREFIX.
   * Don't package /usr/lib/flamethrower/auto subtree
   * Lintian cleanup:
     - Remove bogus (empty) line in lsb section of initscript
     - Use $(CURDIR) instead of $(PWD) in rules file, suggested by lintian
     - Don't ignore clean errors from make
     - Update Standards-Version to 3.8.0
     - Swap binary-arch/binary-indep rules
     - List debhelper under Build-Depends instead of Build-Depends-Indep





Reply sent to dann frazier <dannf@debian.org>:
You have taken responsibility. (Fri, 05 Dec 2008 07:57:04 GMT)


Notification sent to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer. (Fri, 05 Dec 2008 07:57:04 GMT)


Message #26 received at 506350-close@bugs.debian.org:

From: dann frazier <dannf@debian.org>
To: 506350-close@bugs.debian.org
Subject: Bug#506350: fixed in flamethrower 0.1.8-1+etch4
Date: Fri, 05 Dec 2008 07:52:20 +0000
Source: flamethrower
Source-Version: 0.1.8-1+etch4

We believe that the bug you reported is fixed in the latest version of
flamethrower, which is due to be installed in the Debian FTP archive:

flamethrower_0.1.8-1+etch4.diff.gz
  to pool/main/f/flamethrower/flamethrower_0.1.8-1+etch4.diff.gz
flamethrower_0.1.8-1+etch4.dsc
  to pool/main/f/flamethrower/flamethrower_0.1.8-1+etch4.dsc
flamethrower_0.1.8-1+etch4_all.deb
  to pool/main/f/flamethrower/flamethrower_0.1.8-1+etch4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 506350@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
dann frazier <dannf@debian.org> (supplier of updated flamethrower package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Fri, 21 Nov 2008 11:19:16 -0700
Source: flamethrower
Binary: flamethrower
Architecture: source all
Version: 0.1.8-1+etch4
Distribution: stable-security
Urgency: high
Maintainer: dann frazier <dannf@debian.org>
Changed-By: dann frazier <dannf@debian.org>
Description: 
 flamethrower - Multicast file distribution utility
Closes: 506350
Changes: 
 flamethrower (0.1.8-1+etch4) stable-security; urgency=high
 .
   * Fix /tmp symlink attack vector. Closes: #506350 (CVE-2008-5141)
   * Rebuilding with current toolchain would cause executables to
     be installed in /usr/local/bin. Fix this by supplying an
     appropriate SITEPREFIX.





Reply sent to dann frazier <dannf@debian.org>:
You have taken responsibility. (Wed, 17 Dec 2008 21:19:47 GMT)


Notification sent to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer. (Wed, 17 Dec 2008 21:19:48 GMT)


Message #31 received at 506350-close@bugs.debian.org:

From: dann frazier <dannf@debian.org>
To: 506350-close@bugs.debian.org
Subject: Bug#506350: fixed in flamethrower 0.1.8-1+etch4
Date: Wed, 17 Dec 2008 21:02:58 +0000
Source: flamethrower
Source-Version: 0.1.8-1+etch4

We believe that the bug you reported is fixed in the latest version of
flamethrower, which is due to be installed in the Debian FTP archive:

flamethrower_0.1.8-1+etch4.diff.gz
  to pool/main/f/flamethrower/flamethrower_0.1.8-1+etch4.diff.gz
flamethrower_0.1.8-1+etch4.dsc
  to pool/main/f/flamethrower/flamethrower_0.1.8-1+etch4.dsc
flamethrower_0.1.8-1+etch4_all.deb
  to pool/main/f/flamethrower/flamethrower_0.1.8-1+etch4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 506350@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
dann frazier <dannf@debian.org> (supplier of updated flamethrower package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Fri, 21 Nov 2008 11:19:16 -0700
Source: flamethrower
Binary: flamethrower
Architecture: source all
Version: 0.1.8-1+etch4
Distribution: stable-security
Urgency: high
Maintainer: dann frazier <dannf@debian.org>
Changed-By: dann frazier <dannf@debian.org>
Description: 
 flamethrower - Multicast file distribution utility
Closes: 506350
Changes: 
 flamethrower (0.1.8-1+etch4) stable-security; urgency=high
 .
   * Fix /tmp symlink attack vector. Closes: #506350 (CVE-2008-5141)
   * Rebuilding with current toolchain would cause executables to
     be installed in /usr/local/bin. Fix this by supplying an
     appropriate SITEPREFIX.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 15 Jan 2009 07:29:13 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:34:24 2019; Machine Name: beach
